CVE-2026-6246 is a stored cross-site scripting vulnerability in the Simple Random Posts Shortcode WordPress plugin (versions up to 0.3). The flaw exists because the plugin does not properly sanitize or escape the 'container_right_width' attribute in the 'simple_random_posts' shortcode. This allows authenticated users with contributor or higher privileges to inject arbitrary JavaScript code into pages, which executes in the context of users viewing those pages. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting network attack vector, low attack complexity, required privileges of low (contributor), no user interaction, and impacts on confidentiality and integrity but not availability. There is no vendor advisory or patch currently available, and no known exploits in the wild have been reported.

An attacker with contributor-level access or higher can exploit this vulnerability to inject malicious scripts into WordPress pages via the vulnerable shortcode attribute. This can lead to unauthorized actions such as session hijacking, defacement, or other client-side attacks when other users view the injected content. The impact affects confidentiality and integrity of user sessions and data but does not affect availability. Since the attack requires authenticated access, the risk is limited to environments where such user roles exist.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the Simple Random Posts Shortcode plugin if it is not essential. Additionally, monitor for updates from the plugin author or WordPress security channels for any forthcoming patches or mitigations.